Merge branch 'main' of github.com:Trusted-AI/adversarial-robustness-toolbox into gm-b

Author: TS-Lee

.github/workflows/ci-lingvo.yml

@@ -47,7 +47,7 @@ jobs:
           sudo apt-get update
           sudo apt-get -y -q install ffmpeg libavcodec-extra
           python -m pip install --upgrade pip setuptools wheel
-          pip install -q -r <(sed '/^scipy/d;/^matplotlib/d;/^pandas/d;/^statsmodels/d;/^numba/d;/^jax/d;/^h5py/d;/^Pillow/d;/^pytest-mock/d' requirements_test.txt)
+          pip install -q -r <(sed '/^scipy/d;/^matplotlib/d;/^pandas/d;/^statsmodels/d;/^numba/d;/^jax/d;/^h5py/d;/^Pillow/d;/^pytest/d;/^pytest-mock/d;/^torch/d;/^torchaudio/d;/^torchvision/d' requirements_test.txt)
           pip install scipy==1.5.4
           pip install matplotlib==3.3.4
           pip install pandas==1.1.5
@@ -60,7 +60,13 @@ jobs:
           pip install model-pruning-google-research==0.0.3
           pip install jax[cpu]==0.2.17
           pip install h5py==2.10.0
+          pip install pytest~=7.0.1
+          pip install pytest-flake8~=1.1.0
           pip install pytest-mock
+          pip install pytest-cov~=3.0.0
+          pip install torch==1.10.2+cpu --find-links https://download.pytorch.org/whl/cpu/torch_stable.html
+          pip install torchaudio==0.10.2+cpu --find-links https://download.pytorch.org/whl/cpu/torch_stable.html
+          pip install torchvision==0.11.3+cpu --find-links https://download.pytorch.org/whl/cpu/torch_stable.html
           pip list
       - name: Run ${{ matrix.name }} Tests
         run: ./run_tests.sh ${{ matrix.framework }}

.github/workflows/ci-pytorch.yml

@@ -25,12 +25,6 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - name: PyTorch 1.8.1 (Python 3.8)
-            framework: pytorch
-            python: 3.8
-            torch: 1.8.1+cpu
-            torchvision: 0.9.1+cpu
-            torchaudio: 0.8.1
           - name: PyTorch 1.9.1 (Python 3.8)
             framework: pytorch
             python: 3.8
@@ -43,6 +37,12 @@ jobs:
             torch: 1.10.2+cpu
             torchvision: 0.11.3+cpu
             torchaudio: 0.10.2+cpu
+          - name: PyTorch 1.11.0 (Python 3.8)
+            framework: pytorch
+            python: 3.8
+            torch: 1.11.0+cpu
+            torchvision: 0.12.0+cpu
+            torchaudio: 0.11.0
 
     name: ${{ matrix.name }}
     steps:

.github/workflows/ci-tensorflow-v1.yml

@@ -45,7 +45,9 @@ jobs:
           sudo apt-get update
           sudo apt-get -y -q install ffmpeg libavcodec-extra
           python -m pip install --upgrade pip setuptools wheel
-          pip install -r requirements_test.txt
+          pip install -q -r <(sed '/^pandas/d;/^scipy/d' requirements_test.txt)
+          pip install pandas==1.3.5
+          pip install scipy==1.7.2
           pip install tensorflow==${{ matrix.tensorflow }}
           pip install keras==${{ matrix.keras }}
           pip list

README-cn.md

@@ -1,4 +1,4 @@
-# Adversarial Robustness Toolbox (ART) v1.9
+# Adversarial Robustness Toolbox (ART) v1.10
 <p align="center">
   <img src="docs/images/art_lfai.png?raw=true" width="467" title="ART logo">
 </p>

README.md

@@ -1,4 +1,4 @@
-# Adversarial Robustness Toolbox (ART) v1.9
+# Adversarial Robustness Toolbox (ART) v1.10
 <p align="center">
   <img src="docs/images/art_lfai.png?raw=true" width="467" title="ART logo">
 </p>

art/__init__.py

@@ -12,7 +12,7 @@
 from art import preprocessing
 
 # Semantic Version
-__version__ = "1.9.1"
+__version__ = "1.10.0"
 
 # pylint: disable=C0103
 

art/attacks/attack.py

@@ -30,7 +30,7 @@
 from art.summary_writer import SummaryWriter, SummaryWriterDefault
 
 if TYPE_CHECKING:
-    from art.utils import CLASSIFIER_TYPE
+    from art.utils import CLASSIFIER_TYPE, GENERATOR_TYPE
 
 logger = logging.getLogger(__name__)
 
@@ -244,6 +244,50 @@ def poison(self, x: np.ndarray, y=Optional[np.ndarray], **kwargs) -> Tuple[np.nd
         raise NotImplementedError
 
 
+class PoisoningAttackGenerator(Attack):
+    """
+    Abstract base class for poisoning attack classes that return a transformed generator.
+    These attacks have an additional method, `poison_estimator`, that returns the poisoned generator.
+    """
+
+    def __init__(self, generator: "GENERATOR_TYPE") -> None:
+        """
+        :param generator: A generator
+        """
+        super().__init__(generator)
+
+    @abc.abstractmethod
+    def poison_estimator(
+        self,
+        z_trigger: np.ndarray,
+        x_target: np.ndarray,
+        batch_size: int,
+        max_iter: int,
+        lambda_p: float,
+        verbose: int,
+        **kwargs
+    ) -> "GENERATOR_TYPE":
+        """
+        Returns a poisoned version of the generator used to initialize the attack
+        :return: A poisoned generator
+        """
+        raise NotImplementedError
+
+    @property
+    def z_trigger(self):
+        """
+        Returns the secret attacker trigger
+        """
+        return self._z_trigger
+
+    @property
+    def x_target(self):
+        """
+        Returns the secret attacker target which the poisoned generator should produce
+        """
+        return self._x_target
+
+
 class PoisoningAttackTransformer(PoisoningAttack):
     """
     Abstract base class for poisoning attack classes that return a transformed classifier.

art/attacks/evasion/pixel_threshold.py

@@ -22,7 +22,7 @@
 | One Pixel Attack Paper link: https://arxiv.org/ans/1710.08864
 | Pixel and Threshold Attack Paper link: https://arxiv.org/abs/1906.06026
 """
-# pylint: disable=C0302
+# pylint: disable=C0302,C0413
 from __future__ import absolute_import, division, print_function, unicode_literals
 
 import logging
@@ -39,16 +39,22 @@
 # Otherwise may use Tensorflow's implementation of DE.
 
 from six import string_types
+import scipy
 from scipy._lib._util import check_random_state
-from scipy.optimize.optimize import _status_message
-from scipy.optimize import OptimizeResult, minimize
-from tqdm.auto import tqdm
-
-from art.config import ART_NUMPY_DTYPE
-from art.attacks.attack import EvasionAttack
-from art.estimators.estimator import BaseEstimator, NeuralNetworkMixin
-from art.estimators.classification.classifier import ClassifierMixin
-from art.utils import check_and_transform_label_format
+
+scipy_version = list(map(int, scipy.__version__.lower().split(".")))
+if scipy_version[1] >= 8:
+    from scipy.optimize._optimize import _status_message  # pylint: disable=E0611
+else:
+    from scipy.optimize.optimize import _status_message  # pylint: disable=E0611
+from scipy.optimize import OptimizeResult, minimize  # noqa
+from tqdm.auto import tqdm  # noqa
+
+from art.config import ART_NUMPY_DTYPE  # noqa
+from art.attacks.attack import EvasionAttack  # noqa
+from art.estimators.estimator import BaseEstimator, NeuralNetworkMixin  # noqa
+from art.estimators.classification.classifier import ClassifierMixin  # noqa
+from art.utils import check_and_transform_label_format  # noqa
 
 if TYPE_CHECKING:
     from art.utils import CLASSIFIER_NEURALNETWORK_TYPE

art/attacks/inference/attribute_inference/baseline.py

@@ -29,7 +29,13 @@
 
 from art.estimators.classification.classifier import ClassifierMixin
 from art.attacks.attack import AttributeInferenceAttack
-from art.utils import check_and_transform_label_format, float_to_categorical, floats_to_one_hot, get_feature_values
+from art.utils import (
+    check_and_transform_label_format,
+    float_to_categorical,
+    floats_to_one_hot,
+    get_feature_values,
+    get_feature_index,
+)
 
 if TYPE_CHECKING:
     from art.utils import CLASSIFIER_TYPE
@@ -65,11 +71,6 @@ def __init__(
         """
         super().__init__(estimator=None, attack_feature=attack_feature)
 
-        if isinstance(self.attack_feature, int):
-            self.single_index_feature = True
-        else:
-            self.single_index_feature = False
-
         self._values: Optional[list] = None
 
         if attack_model:
@@ -108,6 +109,7 @@ def __init__(
             raise ValueError("Illegal value for parameter `attack_model_type`.")
 
         self._check_params()
+        self.attack_feature = get_feature_index(self.attack_feature)
 
     def fit(self, x: np.ndarray) -> None:
         """
@@ -117,13 +119,13 @@ def fit(self, x: np.ndarray) -> None:
         """
 
         # Checks:
-        if self.single_index_feature and isinstance(self.attack_feature, int) and self.attack_feature >= x.shape[1]:
+        if isinstance(self.attack_feature, int) and self.attack_feature >= x.shape[1]:
             raise ValueError("attack_feature must be a valid index to a feature in x")
 
         # get vector of attacked feature
         y = x[:, self.attack_feature]
-        self._values = get_feature_values(y, self.single_index_feature)
-        if self.single_index_feature:
+        self._values = get_feature_values(y, isinstance(self.attack_feature, int))
+        if isinstance(self.attack_feature, int):
             y_one_hot = float_to_categorical(y)
         else:
             y_one_hot = floats_to_one_hot(y)
@@ -161,7 +163,7 @@ def infer(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> np.n
         predictions = self.attack_model.predict(x_test).astype(np.float32)
 
         if self._values is not None:
-            if self.single_index_feature:
+            if isinstance(self.attack_feature, int):
                 predictions = np.array([self._values[np.argmax(arr)] for arr in predictions])
             else:
                 i = 0

art/attacks/inference/attribute_inference/black_box.py

@@ -32,7 +32,13 @@
 from art.estimators.classification.classifier import ClassifierMixin
 from art.attacks.attack import AttributeInferenceAttack
 from art.estimators.regression import RegressorMixin
-from art.utils import check_and_transform_label_format, float_to_categorical, floats_to_one_hot, get_feature_values
+from art.utils import (
+    check_and_transform_label_format,
+    float_to_categorical,
+    floats_to_one_hot,
+    get_feature_values,
+    get_feature_index,
+)
 
 if TYPE_CHECKING:
     from art.utils import CLASSIFIER_TYPE, REGRESSOR_TYPE
@@ -83,10 +89,6 @@ def __init__(
                                          `estimator` is a regressor and if `scale_range` is not supplied.
         """
         super().__init__(estimator=estimator, attack_feature=attack_feature)
-        if isinstance(self.attack_feature, int):
-            self.single_index_feature = True
-        else:
-            self.single_index_feature = False
 
         self._values: Optional[list] = None
         self._attack_model_type = attack_model_type
@@ -131,6 +133,7 @@ def __init__(
         self.scale_range = scale_range
 
         self._check_params()
+        self.attack_feature = get_feature_index(self.attack_feature)
 
     def fit(self, x: np.ndarray, y: Optional[np.ndarray] = None) -> None:
         """
@@ -144,7 +147,7 @@ def fit(self, x: np.ndarray, y: Optional[np.ndarray] = None) -> None:
         if self.estimator.input_shape is not None:
             if self.estimator.input_shape[0] != x.shape[1]:
                 raise ValueError("Shape of x does not match input_shape of model")
-        if self.single_index_feature and isinstance(self.attack_feature, int) and self.attack_feature >= x.shape[1]:
+        if isinstance(self.attack_feature, int) and self.attack_feature >= x.shape[1]:
             raise ValueError("`attack_feature` must be a valid index to a feature in x")
 
         # get model's predictions for x
@@ -162,8 +165,8 @@ def fit(self, x: np.ndarray, y: Optional[np.ndarray] = None) -> None:
 
         # get vector of attacked feature
         y_attack = x[:, self.attack_feature]
-        self._values = get_feature_values(y_attack, self.single_index_feature)
-        if self.single_index_feature:
+        self._values = get_feature_values(y_attack, isinstance(self.attack_feature, int))
+        if isinstance(self.attack_feature, int):
             y_one_hot = float_to_categorical(y_attack)
         else:
             y_one_hot = floats_to_one_hot(y_attack)
@@ -210,7 +213,7 @@ def infer(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> np.n
         if pred.shape[0] != x.shape[0]:
             raise ValueError("Number of rows in x and y do not match")
         if self.estimator.input_shape is not None:
-            if self.single_index_feature and self.estimator.input_shape[0] != x.shape[1] + 1:
+            if isinstance(self.attack_feature, int) and self.estimator.input_shape[0] != x.shape[1] + 1:
                 raise ValueError("Number of features in x + 1 does not match input_shape of model")
 
         if RegressorMixin in type(self.estimator).__mro__:
@@ -234,7 +237,7 @@ def infer(self, x: np.ndarray, y: Optional[np.ndarray] = None, **kwargs) -> np.n
         predictions = self.attack_model.predict(x_test).astype(np.float32)
 
         if self._values is not None:
-            if self.single_index_feature:
+            if isinstance(self.attack_feature, int):
                 predictions = np.array([self._values[np.argmax(arr)] for arr in predictions])
             else:
                 i = 0